Cross-site scripting (XSS) vulnerability in main/dropbox/index.php in Chamilo LMS before 1.8.8.6 allows remote attackers to inject arbitrary web script or HTML via the category_name parameter in an addsentcategory action.
CVSS 6.1 | AI Score 6 | EPSS 0.003
Chamilo 1.9.4 has multiple XSS and HTML injection vulnerabilities in blog.php and announcements.php.
CVSS 6.1 | AI Score 6.2 | EPSS 0.001
Chamilo 1.9.4 has XSS due to improper validation of user-supplied input by the chat.php script.
CVSS 6.1 | AI Score 6 | EPSS 0.001
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containin...
CVSS 7.2 | AI Score 7.4 | EPSS 0.025
admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities (XML external entity injection, XXE).
CVSS 6.5 | AI Score 6.6 | EPSS 0.005
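The XXE entry above is the classic libxml pattern: a parser that substitutes entities will happily fetch `file://` or `http://` targets named in a DOCTYPE supplied by the uploader. The following is an added example, not Chamilo's user_import.php, showing the risky call beside a hardened reader. The import format and the sample document are constructed for illustration; the hardened version refuses any DOCTYPE outright, never passes LIBXML_NOENT, and keeps the entity loader off on PHP releases where it is on by default.

```php
<?php
declare(strict_types=1);

// Constructed sample (not from the advisory): an import file carrying an
// external entity that would read a local file if the parser expanded it.
const SAMPLE_XXE_XML = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE Contacts [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<Contacts>
  <Contact><Username>alice</Username><Email>&xxe;</Email></Contact>
</Contacts>
XML;

// Constructed benign sample for the happy path.
const SAMPLE_OK_XML = <<<'XML'
<?xml version="1.0"?>
<Contacts>
  <Contact><Username>alice</Username><Email>alice@example.org</Email></Contact>
  <Contact><Username>bob</Username><Email>bob@example.org</Email></Contact>
</Contacts>
XML;

/**
 * Risky pattern: LIBXML_NOENT asks libxml to substitute entities. On PHP < 8.0
 * that includes external entities unless libxml_disable_entity_loader(true)
 * was called earlier, so the <Email> element ends up holding /etc/passwd.
 */
function parseUsersUnsafe(string $xml): DOMDocument
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT);
    return $dom;
}

/**
 * Hardened reader: an import file has no legitimate reason to declare a
 * DOCTYPE or entities, so reject them before parsing; parse with LIBXML_NONET
 * and without LIBXML_NOENT; and keep the entity loader disabled where PHP
 * still enables it by default (the call is a deprecated no-op from 8.0).
 */
function parseUsersSafe(string $xml): DOMDocument
{
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml)) {
        throw new InvalidArgumentException('DOCTYPE/ENTITY declarations are not allowed in import files');
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_use_internal_errors($previous);
    if ($ok === false) {
        throw new InvalidArgumentException('Malformed XML');
    }
    return $dom;
}

/** Returns username => email pairs from a parsed import document. */
function extractUsers(DOMDocument $dom): array
{
    $users = [];
    foreach ($dom->getElementsByTagName('Contact') as $contact) {
        $name  = $contact->getElementsByTagName('Username')->item(0);
        $email = $contact->getElementsByTagName('Email')->item(0);
        if ($name !== null && $email !== null) {
            $users[$name->textContent] = $email->textContent;
        }
    }
    return $users;
}

// Demo: the hostile document is refused, the benign one is parsed.
try {
    parseUsersSafe(SAMPLE_XXE_XML);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
print_r(extractUsers(parseUsersSafe(SAMPLE_OK_XML)));
```

The DOCTYPE pre-check is deliberately coarse: it also blocks harmless internal DTDs, which is the right trade-off for a fixed import schema. If a format genuinely needs a DTD, the minimum is still to drop LIBXML_NOENT and keep LIBXML_NONET.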
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.
CVSS 9.8 | AI Score 9.9 | EPSS 0.007
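The searchField parameter in the entry above is a column name, and column names cannot be bound as prepared-statement parameters, which is why this class of grid/search endpoint so often ends up concatenating them. The added example below (not Chamilo's model.ajax.php; the table, column names and operator codes are assumptions chosen for illustration) shows the vulnerable concatenation beside a version that allow-lists the identifier and operator and binds only the value. It runs against an in-memory SQLite database via PDO so it can be tried offline.

```php
<?php
declare(strict_types=1);

// Assumed mapping from request field names to real columns (illustrative).
const SEARCHABLE_COLUMNS = [
    'username' => 'u.username',
    'email'    => 'u.email',
    'lastname' => 'u.lastname',
];
// Assumed operator codes, in the style of grid search requests.
const OPERATORS = ['eq' => '=', 'cn' => 'LIKE', 'bw' => 'LIKE'];

/** Vulnerable pattern: identifier and value are both interpolated into SQL. */
function buildSearchQueryUnsafe(string $searchField, string $searchString): string
{
    return "SELECT u.id, u.username, u.email FROM user u WHERE $searchField LIKE '%$searchString%'";
}

/**
 * Hardened: the column and operator must come from fixed allow-lists, and the
 * user-supplied value is passed as a bound parameter. LIKE metacharacters in
 * the value are escaped so % and _ typed by the user match literally.
 */
function buildSearchQuery(string $searchField, string $searchOper, string $searchString): array
{
    if (!isset(SEARCHABLE_COLUMNS[$searchField])) {
        throw new InvalidArgumentException("Unknown search field: $searchField");
    }
    if (!isset(OPERATORS[$searchOper])) {
        throw new InvalidArgumentException("Unknown operator: $searchOper");
    }
    $column = SEARCHABLE_COLUMNS[$searchField];
    $op     = OPERATORS[$searchOper];
    $value  = $searchString;
    $sql    = "SELECT u.id, u.username, u.email FROM user u WHERE $column $op :value";
    if ($op === 'LIKE') {
        $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $searchString);
        $value   = ($searchOper === 'bw') ? $escaped . '%' : '%' . $escaped . '%';
        $sql    .= " ESCAPE '\\'";
    }
    return [$sql, [':value' => $value]];
}

function runSearch(PDO $pdo, string $field, string $oper, string $value): array
{
    [$sql, $params] = buildSearchQuery($field, $oper, $value);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, email TEXT, lastname TEXT)');
$pdo->exec("INSERT INTO user (username, email, lastname) VALUES
    ('alice', 'alice@example.org', 'Smith'), ('bob', 'bob@example.org', 'Jones')");

print_r(runSearch($pdo, 'email', 'cn', 'example.org'));   // both rows
print_r(runSearch($pdo, 'username', 'bw', 'al'));         // alice only
print_r(runSearch($pdo, 'lastname', 'eq', '100%'));       // no row: % is literal

// An injected identifier is refused before any SQL is built.
try {
    runSearch($pdo, '1=1 OR (SELECT sqlite_version())', 'eq', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The filters parameters named in the advisory are usually a JSON structure of many such (field, operator, value) triples; the same rule applies to each triple, and any field or operator not in the allow-list should fail the whole request rather than be silently skipped.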
Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter.
CVSS 6.1 | AI Score 6.2 | EPSS 0.001
Chamilo LMS v1.11.14 was discovered to contain a zero click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. This vulnerability is triggered through user interaction with the attacker's profile page.
CVSS 6.8 | AI Score 7.3 | EPSS 0.001
A Cross-Site Request Forgery (CSRF) in Chamilo LMS 1.11.14 allows attackers to execute arbitrary commands on victim hosts via user interaction with a crafted URL.
CVSS 8.8 | AI Score 9 | EPSS 0.004
chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php via a hex-encoded message, decoded with hex2bin, supplied in a cookie.
CVSS 6.1 | AI Score 6 | EPSS 0.001
Chamilo LMS v1.11.13 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /blog/blog.php.
CVSS 6.1 | AI Score 6.2 | EPSS 0.001
A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file.
CVSS 8.8 | AI Score 8.8 | EPSS 0.004
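Zip slip, as in the entry above, is an archive whose entry names contain `../` segments (or absolute paths), so that a naive extractor writes files outside the intended directory, typically into the web root. The following is an added example, not Chamilo's upload code, of an extractor that validates every entry name before writing and then re-checks the resolved path as defence in depth. The archive it builds is constructed for the demo; the payload content is a placeholder.

```php
<?php
declare(strict_types=1);

/**
 * Accepts only relative entry names with no parent-directory segment.
 * Backslashes are normalised first so "..\" is caught as well as "../".
 */
function isSafeZipEntryName(string $name): bool
{
    $n = str_replace('\\', '/', $name);
    if ($n === '' || $n[0] === '/' || strpos($n, "\0") !== false) {
        return false;                           // empty, absolute, or NUL-bearing
    }
    if (preg_match('#^[A-Za-z]:#', $n)) {
        return false;                           // Windows drive-letter path
    }
    foreach (explode('/', $n) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

/**
 * Extracts $zipPath into $destDir, refusing any entry that would land outside
 * it. Returns the list of file entries written.
 */
function extractZipSafely(string $zipPath, string $destDir): array
{
    $destReal = realpath($destDir);
    if ($destReal === false) {
        throw new RuntimeException("Destination does not exist: $destDir");
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("Cannot open archive: $zipPath");
    }
    $written = [];
    try {
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            if (!isSafeZipEntryName($name)) {
                throw new RuntimeException("Refusing to extract entry: $name");
            }
            $target    = $destReal . '/' . str_replace('\\', '/', $name);
            $targetDir = dirname($target);
            if (!is_dir($targetDir) && !mkdir($targetDir, 0750, true)) {
                throw new RuntimeException("Cannot create directory: $targetDir");
            }
            // Defence in depth: a symlinked subdirectory already present under
            // $destDir could still redirect the write, so check the resolved parent.
            $parentReal = realpath($targetDir);
            if ($parentReal === false || strpos($parentReal . '/', $destReal . '/') !== 0) {
                throw new RuntimeException("Entry resolves outside destination: $name");
            }
            if (substr($name, -1) === '/') {
                continue;                       // directory entry, nothing to write
            }
            file_put_contents($target, $zip->getFromIndex($i));
            $written[] = $name;
        }
    } finally {
        $zip->close();
    }
    return $written;
}

// Demo: build a constructed archive with one benign and one traversing entry.
$tmpZip = tempnam(sys_get_temp_dir(), 'zipslip');
$z = new ZipArchive();
$z->open($tmpZip, ZipArchive::OVERWRITE);
$z->addFromString('course/readme.txt', 'benign content');
$z->addFromString('../../../escaped.txt', 'placeholder for a planted file');
$z->close();

$dest = sys_get_temp_dir() . '/zipslip-dest-' . bin2hex(random_bytes(4));
mkdir($dest, 0750, true);
try {
    extractZipSafely($tmpZip, $dest);
} catch (RuntimeException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
var_dump(isSafeZipEntryName('docs/a.txt'));   // true
var_dump(isSafeZipEntryName('..\\x.php'));     // false
var_dump(isSafeZipEntryName('/etc/cron.d/x')); // false
unlink($tmpZip);
```

ZipArchive::extractTo() performs its own path sanitisation in recent libzip builds, but relying on it silently is exactly the assumption that this vulnerability class exploits; an explicit name check that fails the whole upload on the first bad entry is cheap and auditable.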
Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory.
CVSS 8.8 | AI Score 8.3 | EPSS 0.001
Command injection in /main/webservices/additional_webservices.php in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a bypass of CVE-2023-34960.
CVSS 9.8 | AI Score 9.8 | EPSS 0.934
A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.
CVSS 9.8 | AI Score 9.5 | EPSS 0.927
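The two command-injection entries above (the wsConvertPpt issue and its bypass) share the shape of a caller-controlled file name reaching a shell command line. Escaping that is done once and then bypassed is a recurring story, so the more robust fix is to keep the shell out of the path entirely. The block below is an added example, not Chamilo's web service: the converter binary and its arguments are assumed for illustration, and it shows the interpolated command beside a version that validates the name strictly and launches the program through proc_open with an argument array (PHP 7.4+), so no metacharacter in any argument is ever interpreted.

```php
<?php
declare(strict_types=1);

/**
 * Vulnerable pattern: the caller-supplied name is interpolated into a shell
 * string. A name such as "deck.ppt; id" or "deck.ppt$(id)" runs attacker
 * commands the moment this string reaches shell_exec()/exec().
 */
function convertCommandUnsafe(string $fileName, string $outDir): string
{
    return "soffice --headless --convert-to pdf --outdir $outDir $fileName";
}

/**
 * Strict allow-list on the name: a single path component, ASCII letters,
 * digits, dot, dash and underscore, ending in a presentation extension.
 */
function validatedPptName(string $fileName): string
{
    $base = basename(str_replace('\\', '/', $fileName));
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.(ppt|pptx|odp)$/', $base)) {
        throw new InvalidArgumentException('Invalid presentation file name');
    }
    return $base;
}

/**
 * Hardened launcher: argument-array form of proc_open executes the program
 * directly (no /bin/sh in between). Returns the converter's exit status and
 * its stderr for logging. $converter is an assumption (any CLI would do).
 */
function convertPpt(string $fileName, string $inDir, string $outDir, string $converter = 'soffice'): array
{
    $base = validatedPptName($fileName);
    $argv = [$converter, '--headless', '--convert-to', 'pdf', '--outdir', $outDir, $inDir . '/' . $base];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Failed to start converter');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return ['status' => $status, 'stdout' => $stdout, 'stderr' => $stderr];
}

// Demo: names carrying shell metacharacters never reach the launcher.
foreach (['deck.pptx', 'deck.ppt; id', '$(id).ppt', '../../etc/passwd.ppt', 'a b.odp'] as $name) {
    try {
        echo $name . ' -> ' . validatedPptName($name) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $name . ' -> rejected' . PHP_EOL;
    }
}
// On a host with the converter installed this would run it; here only the argv is shown.
print_r(['soffice', '--headless', '--convert-to', 'pdf', '--outdir', '/tmp/out', '/tmp/in/' . validatedPptName('deck.pptx')]);
```

Note that `../../etc/passwd.ppt` is accepted by the regex only after basename() reduces it to `passwd.ppt`, which is the intended behaviour: the name is treated as a leaf inside `$inDir`, never as a path. On PHP older than 7.4, where proc_open only takes a command string, every argument must go through escapeshellarg() and the validation above still applies first.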
Path traversal in file upload functionality in /main/webservices/additional_webservices.php in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via arbitrary file write.
CVSS 9.8 | AI Score 9.3 | EPSS 0.004
Improper sanitisation in main/inc/lib/fileUpload.lib.php in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of .htaccess file. This vulnerability may be exploite...
CVSS 9.8 | AI Score 9.9 | EPSS 0.004
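Two of the entries in this list describe the same root cause from different angles: the older one (uploads through 1.11.14) is a deny-list that did not know about handler-mapped extensions such as .phar and .pht, and the .htaccess entry above is the case where the dangerous upload has no "extension" at all and instead reconfigures Apache for the directory it lands in. The added example below, which is not Chamilo's fileUpload.lib.php, puts the weak deny-list check beside an allow-list check that also handles dotfiles, multi-extension names, and the Windows trailing-dot quirk. The allowed and script extension sets are assumptions chosen for illustration and should be tailored to the application.

```php
<?php
declare(strict_types=1);

// Assumed allow-list of what this application actually needs to store.
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt', 'zip', 'docx', 'pptx'];
// Assumed set of extensions a typical Apache/PHP host maps to a handler; used
// only to reject them in inner positions ("shell.php.png").
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phps', 'phtml', 'phar', 'pht', 'shtml', 'cgi', 'pl', 'py'];
// Names that change server behaviour regardless of extension.
const RESERVED_NAMES = ['.htaccess', '.htpasswd', 'web.config'];

/**
 * The pattern the advisories describe failing: a short deny-list on the last
 * extension. It passes "x.phar", "x.pht" and ".htaccess" unchanged.
 */
function weakDenyListCheck(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, ['php', 'php3', 'phtml'], true);
}

/**
 * Allow-list check on the original client-supplied name. Returns true only
 * for a single path component with an allowed final extension and no script
 * extension anywhere in the name.
 */
function isAllowedUploadName(string $original): bool
{
    $name = basename(str_replace('\\', '/', $original));
    if ($name === '' || $name === '.' || $name === '..' || strpos($name, "\0") !== false) {
        return false;
    }
    $lower = strtolower($name);
    // Windows silently strips trailing dots and spaces when creating the file,
    // so "shell.php." is stored as "shell.php"; refuse such names outright.
    if ($lower !== rtrim($lower, ". ")) {
        return false;
    }
    // Any dotfile (covers .htaccess) plus explicitly reserved names.
    if ($lower[0] === '.' || in_array($lower, RESERVED_NAMES, true)) {
        return false;
    }
    $parts = explode('.', $lower);
    if (count($parts) < 2) {
        return false;                            // no extension at all
    }
    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return false;
    }
    foreach (array_slice($parts, 1) as $inner) {
        if (in_array($inner, SCRIPT_EXTENSIONS, true)) {
            return false;                        // "shell.php.png" style names
        }
    }
    return true;
}

/**
 * The stored name never derives from user input beyond the validated
 * extension, so even a name that slipped through could not pick its handler.
 */
function storedNameFor(string $original): string
{
    if (!isAllowedUploadName($original)) {
        throw new InvalidArgumentException("Upload name not allowed: $original");
    }
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demo on constructed names: the deny-list passes what the allow-list refuses.
foreach (['report.pdf', 'shell.phar', 'shell.pht', '.htaccess', 'shell.php.png', 'shell.php.', 'my.report.pdf'] as $n) {
    printf("%-16s deny-list: %-5s allow-list: %s\n", $n,
        weakDenyListCheck($n) ? 'pass' : 'block',
        isAllowedUploadName($n) ? 'pass' : 'block');
}
echo storedNameFor('report.pdf') . PHP_EOL;
```

Name checks are only one layer: the directory that receives uploads should also be served with script execution disabled (for Apache, `AllowOverride None` on that directory so an uploaded .htaccess is never read, plus a handler configuration that does not execute anything there), so that a future extension the list does not know about is still inert.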
Chamilo 1.11.x up to 1.11.20 allows users with an admin-privileged account to inject stored XSS in the languages management section.
CVSS 4.8 | AI Score 5.2 | EPSS 0.001
Chamilo 1.11.x up to 1.11.20 allows users with an admin-privileged account to inject stored XSS in the course categories' definition.
CVSS 4.8 | AI Score 5.2 | EPSS 0.001
Chamilo 1.11.x up to 1.11.20 allows users with an admin-privileged account to inject stored XSS in the careers & promotions management section.
CVSS 4.8 | AI Score 5.2 | EPSS 0.001
Chamilo 1.11.x up to 1.11.20 allows users with an admin-privileged account to inject stored XSS in the extra fields management section.
CVSS 4.8 | AI Score 5.2 | EPSS 0.001
Chamilo 1.11.x up to 1.11.20 allows users with an admin-privileged account to inject stored XSS in the session category management section.
CVSS 4.8 | AI Score 5.2 | EPSS 0.001
Chamilo 1.11.x up to 1.11.20 allows users with an admin-privileged account to inject stored XSS in the skills wheel.
CVSS 4.8 | AI Score 5.2 | EPSS 0.001
Chamilo 1.11.x up to 1.11.20 allows users with an admin-privileged account to inject stored XSS in the classes/usergroups management section.
CVSS 4.8 | AI Score 5.2 | EPSS 0.001
Cross Site Request Forgery (CSRF) vulnerability in Chamilo v1.11 through v1.11.20 allows a remote authenticated privileged attacker to execute arbitrary code.
CVSS 3.5 | AI Score 4.9 | EPSS 0.001